OCR Settles HIPAA Investigation With Revenue Cycle Management Company

May 16, 2023 - The HHS Office for Civil Rights (OCR) settled a HIPAA investigation with MedEvolve, an Arkansas-based business associate that provides revenue cycle management, practice management, and practice analytics software to healthcare organizations. MedEvolve agreed to pay $350,000 to OCR and implement a variety of corrective actions.

In July 2018, MedEvolve reported a healthcare data breach to HHS after discovering that an FTP server containing protected health information (PHI) was accessible to the internet. The breach impacted more than 230,000 individuals and exposed patient names, phone numbers, billing addresses, health insurer information, and Social Security numbers.

Following the notification, OCR launched an investigation into the incident. OCR investigates every report it receives regarding breaches that impact more than 500 individuals.

OCR investigated a variety of potential HIPAA violations within this case, including an alleged failure to enter into a business associate agreement (BAA) with a subcontractor and the lack of analysis by MedEvolve to determine risks and vulnerabilities to electronic PHI across the organization.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

In addition to the monetary settlement, MedEvolve agreed to conduct a thorough risk analysis to determine vulnerabilities across the organization, develop and maintain written policies and procedures to comply with HIPAA, and update its security training program for all MedEvolve workforce members who have access to PHI.

Additionally, MedEvolve is required to report to HHS within 60 days when workforce members fail to comply with the company’s policies regarding the HIPAA Privacy and Security Rules.

“Hacking/IT incidents was the most frequent (79 [percent]) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals,” the announcement stated.

“It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.”